a leading vendor in Privileged Access Management (PAM). PAM is an important
aspect of identity and access management that emphasizes protecting privileged
accounts, ensuring that they are protected from credential theft and unsafe
2020, we spoke to Thycotic’s Chief Information Security Officer (CISO) Terence
Jackson to talk about the Thycotic platform, the importance of privileged
access management, and the future of passwords.
What is Privileged Access Management?
the enterprise, users rely on usernames and passwords to access services and
devices. The security of each of these accounts is hugely important, but
protecting privileged accounts is crucial. Privileged accounts have administrative
level access, allowing users to make configuration changes to services and
for password management, and in particular PAM, comes from the difficulty of
managing all of the different accounts and passwords in an organization
there are five times more passwords in an environment than people,” Jackson
says. “That is problematic when passwords are not managed or rotated in a
proper way. IT departments create password systems, but passwords often don’t get
saved, or they never get rotated.” If privileged accounts are not properly
secured, organizations are vulnerable to compromise.
solutions, like Thycotic, solve the problem of managing the life cycle of
privileged accounts, including how they are created and rotated, Jackson says.
Key features of these solutions include creating audit trails that show which
privileged accounts did what and when. They also provide workflows and
multi-factor authentication. “We secure the keys to the kingdom,” Jackson summarizes.
Why is Privileged Access Management Important?
high-level admin accounts is a crucial component of a strong security strategy against
external cyber-threats, no matter what your organization size or industry. “If
you look at data breaches, usually the adversary is after some sort of admin-based
credentials, so they can either extract data, make configuration changes, or
start prepping in the case of ransomware,” Jackson says.
But as well
as the outside threat from cyber-criminals, PAM is crucial to make sure your
organization is protected from insider threats, from users already in your network
not tracking who is accessing what accounts, you really don’t know what’s
happening across the enterprise,” Jackson says. He says that without proper
account and password management, with visibility into who is accessing
what data, enterprises are at significant risk of rogue users being able to
compromise sensitive data. If passwords are not managed and rotated regularly,
even employees who have left the organization may still be able to access this
to help organizations prevent data theft, ransomware attacks and data
exfiltration,” Jackson says. “Users need the ability to audit account
management, rotate passwords either after each use, or every 30 days. In some
cases, organizations go as far as never exposing passwords to the end user.”
users get access through role-based access controls and single sign-on, tied in
with multi-factor authentication. With Thycotic, users can log into the
connection manager tool, and get access to all of the accounts that they should
be able to access, without ever having to know a password.
The Problems with Privileged Access Management
are living, breathing entities, with employees needing to access accounts with
as little friction as possible. When there are five times as many passwords as
people, managing access can seem like a very frustrating task. Is there
friction between PAM and employees who just need to get access and do their
answer is yes,” Jackson says, “if it’s not done properly.” Jackson says that Thycotic
focuses on user experience and on making the login process as frictionless as
possible. He also advises organizations not to consider PAM solutions that will
force the customer to change their process, but instead look for a solution
that will fit the way they currently work.
adaptable and configurable solution really reduces the friction,” Jackson says.
Having a difficult-to-use solution in place causes a lot of friction and anger
with end users, which in turn makes the solution less secure overall.
resourceful,” he says. “If they don’t like the way something works, they’ll
find backdoors and other ways around. We don’t want to make the organization
less secure post-install than they were pre-install!”
“So, a lot
of thinking goes into the design of the product and making sure it’s not
something that will cause friction within the organization.”
The Future of Passwords
are notoriously insecure. Despite years of IT teams doing their best to push
best password practices, it’s still all too often the case that users choose
insecure passwords and reuse passwords across the enterprise. This has led
many to predict that the password could soon be gone completely, at least in
the eyes of the end user, in order to improve the security of accounts
the demise of the password has been greatly exaggerated,” says Jackson. “In
regard to end users logging into their devices, absolutely passwords are on the
way out. But there are often forgotten passwords. If you look at most
organizations, they have tons of systems, and a lot of the authentication that
happens isn’t necessarily humans logging in or interacting with passwords. For
example, there are application-to-application passwords, and developers put
passwords in scripts that are running other services. Those passwords are
probably not going anywhere anytime soon.”
Jackson believes there will be more focus on measures to make sure password
policies and best practices are followed now, such as following NIST guidance
on passwords, and of course implementing PAM to ensure that those crucial
privileged accounts are protected.
Thinking of Implementing a Privileged Access Management Solution?
advice for organizations considering a PAM solution is to look for an adaptable
and flexible platform. “Look at solutions that will be adaptable to the way
that you work, and not the other way around,” he says.
at the roadmap, look at where the company is going in two or three years, not
just quarter three or four this year. You want to look at a company that has
the ability to be agile, but also has an API first approach that can integrate
with the other tools you already have.”
“PAM is part of the journey, not the destination, so have a roadmap and make sure you communicate with your team and wider operation, which will allow for your overall security strategy to progress.”
Editorial note: As of 2023, Thycotic merged with Centrify and is now known as Delinea.